Bugmithlegend
#1184 of 53,622 · Total CVSS 182.1
Vulnerabilities: 20 (Critical 17 · High 3)
PT-2026-30012
9.4
2026-04-03
Packagist · Ci4-Cms-Erp/Ci4Ms · CVE-2026-34989
**Name of the Vulnerable Software and Affected Versions**
The product name cannot be determined (affected versions not specified).

**Description**
The application does not properly sanitize user-controlled input when updating profile names, allowing an attacker to inject a malicious JavaScript payload. The payload is stored server-side and executes whenever the name is rendered in any of several application views, which makes this stored cross-site scripting (XSS). The issue lies in the user profile storage and retrieval logic and affects endpoints such as `/backend/users/profile/` and `/backend/users/`.

Attack scenario: the attacker sets their own profile name to an XSS payload; it then executes in the browser of every user who views that profile, including on public-facing pages that display user profiles. When the viewer is an administrator, this can lead to administrative privilege escalation and full admin account takeover.

**Recommendations**
1. Eliminate unsafe DOM sinks such as `.html()` and `innerHTML`, and replace them with safe alternatives such as `.text()` or `textContent`.
2. Apply context-appropriate HTML entity encoding to all user-controlled data before rendering it in the DOM.
3. Sanitize user-controlled fields server-side, profile name fields especially, before storing values in the database.
4. Apply defense in depth: input validation, output encoding, and Content Security Policy (CSP) headers together.
PT-2026-29626
9.1
2026-04-01
Ci4Ms · Ci4Ms · CVE-2026-34561
**Name of the Vulnerable Software and Affected Versions**
CI4MS versions prior to 0.31.0.0

**Description**
CI4MS, a CodeIgniter 4-based CMS, is susceptible to stored cross-site scripting (XSS) in the System Settings – Social Media Management section. The application does not properly sanitize user-controlled input in the 'Social Media' and 'Social Media Link' configuration fields; malicious values are stored and subsequently rendered without appropriate output encoding. Because the stored value is written back into an attribute of the settings form input, the payload breaks out of the attribute context and executes immediately, on the same page, in the browser of the authenticated user managing settings (same-page DOM-based XSS).

The affected functionality covers the Social Media Management configuration, same-page rendering of the user-controlled fields, DOM attribute injection within form inputs, and the storage and retrieval of social media configuration values. Successful exploitation results in arbitrary JavaScript execution, potential administrative privilege escalation, and full account or platform compromise. The vulnerable API endpoint is `/backend/settings/`; the vulnerable parameters are `Social Media` and `Social Media Link`.

**Recommendations**
1. Update to version 0.31.0.0 or later.
2. Avoid unsafe DOM manipulation methods such as `.html()` and `innerHTML`.
3. Apply HTML entity encoding to all user-controlled data before rendering it in the browser.
4. Sanitize all user-supplied input before processing or output.
5. Enforce security headers and cookie attributes: Content Security Policy (CSP), plus the `HttpOnly`, `SameSite` and `Secure` flags on session cookies.
PT-2026-29629
9.1
2026-04-01
Ci4Ms · Ci4Ms · CVE-2026-34564
**Name of the Vulnerable Software and Affected Versions**
CI4MS versions prior to 0.31.0.0

**Description**
The application does not properly sanitize user-controlled input when adding Pages to navigation menus through the Menu Management functionality. Page-related data selected via the Pages section is stored server-side and rendered without proper output encoding, both within administrative interfaces and in public-facing navigation menus, leading to stored DOM-based cross-site scripting (XSS). The vulnerable functionality includes the Menu Management – Pages section, adding pages to navigation menus, and the menu storage and rendering logic.

An attacker who can create or control a page containing a malicious JavaScript payload adds that page to the menu; the payload then executes whenever the menu is rendered. This can lead to privilege escalation, full administrator account takeover, and full compromise of the application. The vulnerable API endpoint is `/backend/menu/`.

**Recommendations**
1. Upgrade to version 0.31.0.0 or later.
2. Avoid unsafe DOM manipulation methods such as `.html()` and `innerHTML`.
3. Apply HTML entity encoding to all user-controlled data before rendering it in the browser.
4. Sanitize all user-supplied input before processing or output.
5. Enforce security headers and cookie attributes: Content Security Policy (CSP), plus the `HttpOnly`, `SameSite` and `Secure` flags on cookies.
PT-2026-29630
9.1
2026-04-01
Ci4Ms · Ci4Ms · CVE-2026-34565
**Name of the Vulnerable Software and Affected Versions**
CI4MS versions prior to 0.31.0.0

**Description**
The application does not properly sanitize user-controlled input when adding Posts to navigation menus through the Menu Management functionality. Post-related data selected via the Posts section is stored server-side and rendered without proper output encoding, both in administrative dashboards and in public-facing navigation menus, resulting in stored DOM-based cross-site scripting (XSS). The vulnerable functionality is the unsafe rendering of post entries when adding posts to navigation menus via the `Posts` section in Menu Management.

An attacker who can create or control a post containing a malicious JavaScript payload adds that post to the menu; the payload then executes whenever the menu is rendered. This can lead to privilege escalation, full administrator account takeover, and full compromise of the application. The affected API endpoint is `/backend/menu/`.

**Recommendations**
1. Update to version 0.31.0.0 or later.
2. Avoid unsafe DOM manipulation methods such as `.html()` and `innerHTML`.
3. Apply HTML entity encoding to all user-controlled data before rendering it in the browser.
4. Sanitize all user-supplied input before processing or output.
5. Enforce security headers and cookie attributes: Content Security Policy (CSP), plus the `HttpOnly`, `SameSite` and `Secure` flags on session cookies.
PT-2026-29625
9.1
2026-04-01
Ci4Ms · Ci4Ms · CVE-2026-34560
**Name of the Vulnerable Software and Affected Versions**
CI4MS versions prior to 0.31.0.0

**Description**
CI4MS is a CodeIgniter 4-based CMS skeleton. Prior to version 0.31.0.0, the application renders user-controlled input unsafely within the logs interface, leading to a stored, blind DOM-based XSS scenario. If an XSS payload is present in logged data, it is rendered without proper output encoding. The attacker does not see immediate execution: the payload is stored in the application logs and executes when an administrator views the logs page. The vulnerability can be triggered by accessing endpoints like `/backend/backup/restore/{payload}`, which logs the payload; when an administrator views the logs interface, the payload executes in their browser context.

The affected functionality includes the application logging mechanism, the logs storage and retrieval logic, and log rendering within the administrative interface. The impact is persistent blind XSS: arbitrary JavaScript execution in administrators’ browsers, potential privilege escalation, and full application compromise. Related API endpoints are `/backend/logs/` and `/backend/backup/restore/{payload}`.

**Recommendations**
1. Update to version 0.31.0.0 or later.
2. Avoid unsafe DOM manipulation methods like `.html()` and `innerHTML`.
3. Apply HTML entity encoding to all user-controlled data before rendering it in the browser, including data read back from the logs.
4. Sanitize input to prevent malicious input from being stored.
5. Enforce security headers and cookie attributes: Content Security Policy (CSP), plus the `HttpOnly`, `SameSite` and `Secure` flags on cookies.
PT-2026-29631
9.1
2026-04-01
Ci4Ms · Ci4Ms · CVE-2026-34566
**Name of the Vulnerable Software and Affected Versions**
CI4MS versions prior to 0.31.0.0

**Description**
CI4MS, a CodeIgniter 4-based CMS, is susceptible to stored DOM-based cross-site scripting (XSS) through the Page Management functionality. The application does not properly sanitize user-controlled input in multiple fields during page creation or editing. The unsanitized values are stored server-side and rendered without output encoding in administrative page lists and public-facing page views, enabling execution of malicious JavaScript payloads.

Affected fields: Title, URL, Content, Cover Image, Image URL, Image Width, Image Height, SEO Description, and SEO Keywords. A payload injected into any of these fields executes in the browsers of administrators, authenticated users, and visitors. The affected API endpoints are `/backend/pages/create`, the page list management view, and the public-facing page views.

**Recommendations**
1. Update to version 0.31.0.0 or later.
2. Avoid unsafe DOM manipulation methods like `.html()` or `innerHTML`.
3. Apply HTML entity encoding to all user-controlled data before rendering it in the browser.
4. Sanitize all user-supplied input before processing or output.
5. Enforce security headers and cookie attributes: Content Security Policy (CSP), plus the `HttpOnly`, `SameSite` and `Secure` flags on cookies.
PT-2026-29117
7.2
2026-03-30
Ci4Ms · Ci4Ms · CVE-2026-27599
**Name of the Vulnerable Software and Affected Versions**
CI4MS versions prior to 0.31.0.0

**Description**
CI4MS, a CodeIgniter 4-based CMS skeleton, does not properly sanitize user-controlled input within System Settings – Mail Settings. Configuration fields, including Mail Server, Mail Port, Email Address, Email Password, Mail Protocol, and TLS settings, accept attacker-controlled input that is stored server-side and rendered without proper output encoding. This results in stored, same-page DOM-based cross-site scripting (XSS): a malicious JavaScript payload injected into these fields executes immediately on the same settings page, in the browser context of the authenticated user.

The affected functionality is the System Settings – Mail Settings configuration and the rendering of its user-controlled input fields. The API endpoint involved is `/backend/settings/` (Mail Settings). Vulnerable parameters include `Mail Server`, `Mail Port`, `Email Address`, `Email Password`, `Mail Protocol`, and `Domain`.

**Recommendations**
1. Update to version 0.31.0.0 or later.
2. Apply proper HTML encoding and input sanitization to all configuration fields.
3. Enforce CSP and the `HttpOnly`, `SameSite` and `Secure` cookie flags to reduce the severity of XSS and potential CSRF escalation.
4. Audit all other system settings fields for similar attribute injection vulnerabilities.
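The seven advisories above share one root cause: stored, user-controlled strings are rendered into HTML without encoding for the context they land in. Profile names, menu labels and page titles land in text context; the Social Media and Mail Settings values are written back into an attribute of a form input, which is why those entries describe a breakout from the input attribute context. The following is an added example, not code from CI4MS or its maintainers. It shows context-aware output encoding in JavaScript and why the common shortcut of escaping only `<` and `>` stops tag injection in text context yet leaves attribute context exploitable. The payload strings, the `social_media_link` field name and the `renderSettingsInput` view are constructed for the example. In the browser the same rule is `textContent` over `innerHTML`; server-side in CodeIgniter 4 the `esc()` helper's `'html'` and `'attr'` contexts do the equivalent job.

```javascript
// Added example (not CI4MS or CodeIgniter code): context-aware HTML output
// encoding for stored, user-controlled strings, with a check that shows why
// encoding only < and > is not enough once the value lands in an attribute.

// Named entities for the five characters that matter in HTML text context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Text-node context: a profile name in a table cell, a menu label, a page title.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Attribute-value context (<input value="...">): hex-encode everything outside
// a small safe alphabet, the conservative rule used by OWASP-style encoders.
function escapeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9,.\-_]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// The common shortcut: stops <script> in text context, but a bare " still
// terminates the attribute value the string is placed into.
function escapeTagsOnly(s) {
  return String(s).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Reverse the encodings above so we can prove encoding is lossless: the
// administrator still sees exactly the text that was stored.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"' };
function decodeEntities(s) {
  return String(s).replace(/&(#x([0-9A-Fa-f]+)|#([0-9]+)|([A-Za-z]+));/g,
    (m, _all, hex, dec, name) => {
      if (hex) return String.fromCodePoint(parseInt(hex, 16));
      if (dec) return String.fromCodePoint(parseInt(dec, 10));
      return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : m;
    });
}

// A settings form field rendered the way a CMS view template would, with the
// stored value written back into the value attribute. Constructed for the example.
function renderSettingsInput(fieldName, storedValue, encoder) {
  return `<input type="text" name="${escapeAttr(fieldName)}" value="${encoder(storedValue)}">`;
}

// True if an encoded value still contains a character that can end an
// attribute value or start a tag, i.e. it was not safe for that context.
function hasBreakoutChars(encoded) {
  return /["'<>]/.test(encoded);
}

// True if the rendered markup has picked up an event-handler attribute the
// template never wrote: the signature of an attribute-context breakout.
function hasInjectedHandler(markup) {
  return /\son[a-z]+\s*=/i.test(markup);
}

// Constructed test inputs, not taken from any real report.
const TEXT_PAYLOAD = '<img src=x onerror=alert(1)>';
const ATTR_PAYLOAD = '" autofocus onfocus="alert(1)';

// Run the comparison and return the findings so they can be checked.
function demo() {
  const naive = renderSettingsInput('social_media_link', ATTR_PAYLOAD, escapeTagsOnly);
  const safe = renderSettingsInput('social_media_link', ATTR_PAYLOAD, escapeAttr);
  return {
    textEncoded: escapeHtml(TEXT_PAYLOAD),
    textRoundTrips: decodeEntities(escapeHtml(TEXT_PAYLOAD)) === TEXT_PAYLOAD,
    naiveMarkup: naive,
    naiveInjectsHandler: hasInjectedHandler(naive),
    safeMarkup: safe,
    safeInjectsHandler: hasInjectedHandler(safe),
    attrEncoded: escapeAttr(ATTR_PAYLOAD),
    attrRoundTrips: decodeEntities(escapeAttr(ATTR_PAYLOAD)) === ATTR_PAYLOAD,
  };
}

console.log(demo());
```

The `naiveMarkup` result carries a live `onfocus=` attribute the template never wrote, while `safeMarkup` keeps the whole payload inside the quoted value and decodes back to the stored text unchanged. The same two encoders, applied at render time rather than at storage time, also cover the logs viewer case: a request path that was logged verbatim is just another user-controlled string landing in text context.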